0
votes

I am trying to build an AWS Lambda based application with AWS SAM. During deployment, I noticed that one of the IAM policies created for the Lambda has a wrong ARN. As you can see below (it is malformed):

{
    "Statement": [
        {
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:ap-south-1:286214033472:table/arn:aws:dynamodb:ap-south-1:286214033472:table/damoLambda-DynamoDBTable-11I5VYQXQKPHH",
                "arn:aws:dynamodb:ap-south-1:286214033472:table/arn:aws:dynamodb:ap-south-1:286214033472:table/damoLambda-DynamoDBTable-11I5VYQXQKPHH/index/*"
            ],
            "Effect": "Allow"
        }
    ]
}

The DynamoDB table itself is created by the SAM template and referred to in the Lambda policy section, as below:

  TestFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: FileExtractorFunction
      Handler: helloworld.App::handleRequest
      Runtime: java8
      MemorySize: 512
      Policies:
        - CloudWatchPutMetricPolicy: {}
        - S3ReadPolicy:
            BucketName: !Ref S3BucketName
        - DynamoDBWritePolicy:
            TableName: !GetAtt DynamoDBTable.Arn
      Environment:
        Variables:
          DynamoDB_Table_Name: !Ref DynamoDBTable

  ........................................
  ........................................
  ........................................
  DynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5

Apart from the Policy section, everything works as intended.
For the Policy section, I am not sure whether it is an AWS bug or I am doing something wrong.

1
Why is it malformed? Because it does not have a Version? It's not clear what issue you are referring to. - Marcin
@Marcin, do you not agree with my answer? - Manish Kumar
Hi. I made my comment before you posted the answer. - Marcin

1 Answer

0
votes

I resolved it. It was just because I was using !GetAtt DynamoDBTable.Arn in place of !Ref DynamoDBTable in the Policy section:

 - DynamoDBWritePolicy:
    TableName: !Ref DynamoDBTable

It looks like the AWS SAM template engine is missing necessary validations and has a poor object model; !GetAtt DynamoDBTable.Arn should return an object of type ARN instead of just a string.
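To make the mechanism behind both the question and the answer concrete, here is an added example (not SAM's own code and not from the poster) that mimics how a SAM policy template such as DynamoDBWritePolicy expands its TableName parameter into the ARN form seen in the question, and then validates the resulting Resource entries. The account ID is a constructed placeholder, the template string is an assumption modelled on the output shown above, and the checker is the kind of pre-deploy test that catches a doubly-prefixed ARN before it reaches IAM, where it matches no real table and the function fails with access-denied errors at runtime.

```python
import json
import re

# Constructed sample values for this example; the account ID is a placeholder,
# the region and table name are the ones shown in the question.
REGION = "ap-south-1"
ACCOUNT_ID = "123456789012"
TABLE_NAME = "damoLambda-DynamoDBTable-11I5VYQXQKPHH"

# Assumed shape of the DynamoDBWritePolicy expansion: the TableName parameter is
# substituted into a table-ARN prefix, so it must be a bare table name, not an ARN.
ARN_TEMPLATE = "arn:aws:dynamodb:{region}:{account}:table/{table_name}"


def render_dynamodb_write_policy(table_name, region=REGION, account=ACCOUNT_ID):
    """Return the IAM policy document that the policy template would produce."""
    base = ARN_TEMPLATE.format(region=region, account=account, table_name=table_name)
    return {
        "Statement": [
            {
                "Action": [
                    "dynamodb:PutItem",
                    "dynamodb:UpdateItem",
                    "dynamodb:BatchWriteItem",
                ],
                "Resource": [base, base + "/index/*"],
                "Effect": "Allow",
            }
        ]
    }


# A well-formed DynamoDB table ARN: partition, region, 12-digit account, and a
# table name of 3-255 characters from [A-Za-z0-9_.-], optionally with an index.
TABLE_ARN_RE = re.compile(
    r"^arn:aws:dynamodb:[a-z0-9-]+:\d{12}:table/[A-Za-z0-9_.-]{3,255}"
    r"(/index/(\*|[A-Za-z0-9_.-]+))?$"
)


def find_malformed_resources(policy):
    """List every Resource entry that is not a valid DynamoDB table/index ARN.

    The doubly-prefixed ARNs from the question fail because ':' is not a legal
    table-name character, so 'table/arn:aws:...' never matches.
    """
    bad = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        bad.extend(r for r in resources if not TABLE_ARN_RE.match(r))
    return bad


if __name__ == "__main__":
    # What !GetAtt DynamoDBTable.Arn feeds into TableName: an ARN, not a name.
    arn_input = ARN_TEMPLATE.format(region=REGION, account=ACCOUNT_ID, table_name=TABLE_NAME)
    broken = render_dynamodb_write_policy(arn_input)
    print("With !GetAtt (ARN as TableName):")
    print(json.dumps(broken, indent=2))
    print("malformed:", find_malformed_resources(broken))

    # What !Ref DynamoDBTable feeds into TableName: the bare table name.
    fixed = render_dynamodb_write_policy(TABLE_NAME)
    print("\nWith !Ref (table name as TableName):")
    print(json.dumps(fixed, indent=2))
    print("malformed:", find_malformed_resources(fixed))
```

Run the checker over the rendered policy JSON of a stack before deploying it: an empty list from `find_malformed_resources` means every Resource is a syntactically valid table ARN, while a non-empty list points at the exact entries that would silently grant nothing.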